EITest Campaign at 85.93.0.32

This isn’t going to be an extensive look into the EITest Campaign, as Brad from Malware-traffic-analysis.net has already done great work on this subject. You can also check my post here for more details. It is more or less an update on some activity I’ve been seeing lately.

Just by looking at these requests I could tell one was a gate and the other an EK. However, I didn’t know the referer for the redirect, as we don’t always get the packets.

After searching the surrounding HTTP traffic I noticed a lot of URLs containing “Solid” and “Works”. I narrowed my search down to a couple of suspicious domains and began looking through the HTML source. I eventually found the site responsible for the redirect:

solidapps.co[.]uk/blog/tag/solidworks-world-2017/
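The pivot described above, starting from the request to the known gate and following Referer headers back to the compromised page, as an added Python example that is not from the original post. The log lines are constructed; the gate IP 85.93.0.32 and solidapps.co.uk come from the post, while the EK host, client addresses and all paths are placeholders.

```python
"""Pivot from a known EITest gate request back to the compromised page via Referer headers.
Added example; the sample log is constructed and the EK host/paths are placeholders."""

# Constructed sample: one request per line as "client host uri referer" ("-" = no Referer).
SAMPLE_LOG = """\
10.0.0.5 solidapps.co.uk /blog/tag/solidworks-world-2017/ -
10.0.0.5 solidapps.co.uk /wp-content/themes/style.css http://solidapps.co.uk/blog/tag/solidworks-world-2017/
10.0.0.5 85.93.0.32 /gate/redirect.php http://solidapps.co.uk/blog/tag/solidworks-world-2017/
10.0.0.5 ek-landing.example /index.php?id=abc http://85.93.0.32/gate/redirect.php
10.0.0.7 85.93.0.32 /gate/redirect.php http://othersite.example/solidworks-tips/
"""

def parse_log(text):
    """Turn the log text into request dicts with a full URL and an optional referer."""
    rows = []
    for line in text.splitlines():
        client, host, uri, referer = line.split(maxsplit=3)
        rows.append({"client": client, "host": host, "url": f"http://{host}{uri}",
                     "referer": None if referer == "-" else referer})
    return rows

def search_urls(rows, *keywords):
    """Case-insensitive search for requested URLs containing every keyword (the 'Solid'/'Works' pivot)."""
    return sorted({r["url"] for r in rows
                   if all(k.lower() in r["url"].lower() for k in keywords)})

def referers_to_host(rows, host):
    """Distinct referring pages for requests to a host, e.g. every page that redirected to the gate."""
    return sorted({r["referer"] for r in rows if r["host"] == host and r["referer"]})

def redirect_chain(rows, client, target_url):
    """Walk Referer headers backwards from one client's target_url to the page that started the chain."""
    by_url = {r["url"]: r for r in rows if r["client"] == client}
    chain, seen = [target_url], {target_url}
    while True:
        ref = by_url.get(chain[-1], {}).get("referer")
        if ref is None or ref in seen:  # no referer, or a loop: stop walking
            break
        chain.append(ref)
        seen.add(ref)
    return chain[::-1]  # oldest page first

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(search_urls(rows, "solid", "works"))
    print(referers_to_host(rows, "85.93.0.32"))
    print(" -> ".join(redirect_chain(rows, "10.0.0.5", "http://ek-landing.example/index.php?id=abc")))
```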

Below is the injected script from 2/11/16:

Making a request to the site caused the following Sguil alerts:

Following the TCP stream I could see a request for the flash redirector:

Submitting the file to VirusTotal shows it has pretty good detection with a ratio of 12/54 for Trojan:SWF/EITest.A.

My VM wasn’t redirected to an EK landing page this time, but here you can see the script on the gate:

Another thing to note is that 3 other hosts redirected to the EITest gate from the following URIs on the same day: